Certification path

ISO 42001 certification: Stage 1 and Stage 2

Certification to ISO/IEC 42001 is awarded by an accredited certification body through a two-stage audit. Understanding the difference between the two stages is what separates a smooth certification from a painful one — and it tells you exactly what a template kit can and cannot do for you.

How the audit works

Documents make you Stage 1 ready. Operating makes you Stage 2 ready.

Stage 1

Documentation & readiness review

The auditor checks whether the AIMS is designed, scoped and documented: context and scope, AI policy, roles and authorities, risk methodology, the Statement of Applicability and the core procedures. This is the stage a completed toolkit is built to satisfy. Expect readiness findings to close before progressing.

  • Context & scope statement
  • AI policy with top-management sign-off
  • Risk & impact methodology
  • Statement of Applicability (all ~38 Annex A controls)
  • Core procedures
Stage 2

Implementation & effectiveness audit

The auditor stops reading documents and starts sampling reality — evidence that the system actually operates. This can only be produced by running the AIMS for a period, so let it run and close Stage 1 findings first.

  • Completed SoA with a justified decision on every control
  • Performed AI risk assessment with approved treatment and residual-risk acceptance
  • At least one AI system impact assessment
  • Records that selected controls actually run
  • At least one internal audit with findings
  • A held management review

After Stage 2, certification is maintained through annual surveillance audits and a three-year recertification cycle.

The order that works

The implementation sequence auditors expect

Document dependencies mean order matters. Implement out of sequence and you rework earlier documents as later ones surface hidden assumptions. The proven sequence:

  1. 1

    Complete the AIMS Context & Scope Statement — before anything else. It anchors all later work.

  2. 2

    Build the AI System Register and populate the Interested Parties and Legal & Regulatory Obligations registers.

  3. 3

    Apply the AI Risk, Impact & Control Methodology and record risks in the Risk & Control Register.

  4. 4

    Complete AI Impact Assessments for in-scope systems with material impact potential.

  5. 5

    Construct the Statement of Applicability across all ~38 Annex A controls, based on the risk and impact outputs.

  6. 6

    Develop and approve the AI Policy with top-management signature.

  7. 7

    Implement operational procedures and registers across lifecycle, data, use and third-party controls.

  8. 8

    Establish the monitoring and review framework and begin generating live evidence.

  9. 9

    Conduct an internal audit against the full requirements of the standard.

  10. 10

    Hold a management review with documented minutes and an action log.

  11. 11

    Address findings and close corrective actions before the external audit.

What auditors actually look for

Conformance, implementation, effectiveness

External auditors test three things: does your documentation meet the standard (conformance), is the documented process actually followed (implementation), and is the system achieving its intended outcomes (effectiveness). Paper compliance fails the second and third tests.

The most scrutinised documents in a typical Stage 2 audit: the Statement of Applicability, the AI System Register, the AI Risk Register, the internal audit report, the management review minutes and the CAPA register. These tell the auditor whether the AIMS is real or performative.

How long it takes

Indicative timelines

Timelines depend on size and AI footprint; the AI risk & impact assessment usually takes the most time, and starting from a ready-made toolkit shortens it significantly.

Small organisation

~6–10 weeks to readiness

Medium organisation

~10–16 weeks

Large organisation

~16–24 weeks

Get Stage 1 ready fast — then operate to Stage 2

The toolkit delivers the full document set (Stage 1). Add human-verified support to run the system, or book an internal audit to test Stage 2 readiness before your certification body arrives.